Cybersecurity Violations Potentially Actionable under the False Claims ActA California federal court recently allowed a relator’s False Claims Act suit against two federal contractors to proceed where the relator’s allegations centered on purported noncompliance with federal cybersecurity requirements. As discussed below, this case should serve as a wake-up call to federal contractors, as it not only confirms that perceived noncompliance with federal cybersecurity requirements may give rise to liability under the False Claims Act, but it also provides a potential roadmap for other relators.

Summary of Relevant Cybersecurity Requirements

By way of background, the court summarized the relevant cybersecurity requirements as follows:

Government contracts are subject to Federal Acquisition Regulations [FAR] and are supplemented by agency specific regulations. On November 18, 2013, the DoD issued a final rule, which imposed requirements on defense contractors to safeguard unclassified controlled technical information from cybersecurity threats.  48 C.F.R. § 252.204-7012 (2013). The rule required defense contractors to implement specific controls covering many different areas of cybersecurity, though it did allow contractors to submit an explanation to federal officers explaining how the company had alternative methods for achieving adequate cybersecurity protection, or why standards were inapplicable. See id. In August 2015, the DoD issued an interim rule, modifying the government’s cybersecurity requirements for contractor and subcontractor information systems. 48 C.F.R. § 252.204-7012 (Aug. 2015).  The interim rule incorporated more cybersecurity controls and required that any alternative measures be “approved in writing prior by an authorized representative of the DoD [Chief Information Officer] prior to contract award.” Id. at 252.204-7012(b)(1)(ii)(B). The DoD amended the interim rule in December 2015 to allow contractors until December 31, 2017 to have compliant or equally effective alternative controls in place. See 48 C.F.R. § 252.204-7012(b)(1)(ii)(A) (Dec. 2015). Each version of this regulation defines adequate security as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” 48 C.F.R. § 252.204-7012(a).

Further, as the court explained:

Contractors awarded contracts from NASA must comply with relevant NASA acquisition regulations. 48 C.F.R. § 1852.204-76 lists the relevant security requirements where a contractor stores sensitive but unclassified information belonging to the federal government. Unlike the relevant DoD regulation, this NASA regulation makes no allowance for the contractor to use alternative controls or protective measures. A NASA contractor is required to “protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure.” 48 C.F.R. § 1852.204-76(a).

Factual and Procedural Background

The relator worked for the defendants, two companies that “develop and manufacture products for the aerospace and defense industry,” as the senior director of Cyber Security, Compliance, and Controls from June 2014 to September 2015.

The relator alleges that the defendants “fraudulently entered into contracts with the federal government despite knowing that they did not meet the minimum standards required to be awarded a government contract.”

The relator also alleges “that when he started working for defendants in 2014, he found that defendants’ computer systems failed to meet the minimum cybersecurity requirements to be awarded contracts funded by the DoD or NASA.”  He claims that the defendants knew that they were “not compliant with the relevant standards as early as 2014,” and that they “repeatedly misrepresented [their] compliance with these technical standards in communications with government officials.”

The relator additionally alleges “that the government awarded [one of the companies] a contract based on these allegedly false and misleading statements,” and that “[i]n July 2015, relator refused to sign documents that defendants were now compliant with the cybersecurity requirements, contacted the company’s ethics hotline, and filed an internal report.”

Defendants terminated relator’s employment in September 2015, and the relator filed his initial complaint with the court in October 2015. In his complaint, the relator alleges, among other things, that defendants violated the False Claims Act, which imposes liability on anyone who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval,” 31 U.S.C. § 3729(a)(1)(A), or “knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim,” id. § 3729(a)(1)(B).

Thereafter, the defendants filed a motion to dismiss the case, alleging that the relator had failed to state a claim upon which relief can be granted. The court, however, denied the defendants’ motion to dismiss the relator’s primary False Claims Act count, concluding that the “relator has plausibly pled that defendants’ alleged failure to fully disclose its noncompliance [with federal cybersecurity requirements] was material to the government’s decision to enter into and pay on the relevant contracts.”

Conclusion

The court’s recent decision in this case should serve as a wake-up call to all federal government contractors that are subject to cybersecurity requirements. While government contractors have long feared that perceived noncompliance with federal cybersecurity requirements may give rise to liability under the False Claims Act, as noted above, the court’s decision in this case not only validates those fears, but provides a potential roadmap for other relators.

In light of this new reality, federal contractors would be wise to review and document their compliance with relevant cybersecurity requirements, and also be proactive when it comes to identifying and remedying any potential shortcomings.

If you have any questions about this noteworthy development, or about any related issues, please do not hesitate to contact Aron Beezley.

The Top 10 Horrible, Terrible No Good Mistakes Lawyers Make in Construction MediationsEffective representation of clients in construction mediations takes more than throwing together a mediation statement at the last second and showing up at the mediation. Doing it right requires the same kind of due diligence and work that goes into preparing for a key deposition or even trial. Great “mediation” lawyering is essential and is the best way to get to an acceptable deal. Over the years, I have compiled a list of the 10 most horrible, terrible, no good, “bang your head against the door” mistakes that I have seen lawyers make before, during, and after mediations in which I was the mediator. Below please find No. 10, and look for #’s 1-9 in future blog posts!

No. 10: Mediating Too Early or Too Late

Every dispute is different.  There are no firm rules as to when mediation should be considered. If the parties have a history, are in an ongoing relationship, will deal with each other in the future; and the legal fees/expenses will be substantial, it may make sense to try to set up an “early” mediation, even prior to the filing of a lawsuit. Sometimes the contract’s ADR clause requires mediation prior to litigation/arbitration. While those clauses can be waived, the issue is always whether the parties/counsel have enough information about the dispute to make good business decisions about settlement. Many times I have heard counsel say “I will be able to get an expert to support our claim,” which is not very persuasive to the other side when it is an expert-driven dispute. Sometimes there is a real concern that “final” offers made in an early mediation become sticking points for future settlement discussions. Early mediations can sometimes cause more problems, and make the parties madder at each other, especially with ego-driven clients (and yes, lawyers!). I have found that an early mediation is more likely to work is if there is a good working relationship between the lawyers who, working with an experienced mediator, can help manage the entire process (and their clients) to try to get an acceptable settlement early in the dispute.

What about “late” mediations just prior to trial? Will the parties agree to postpone a trial and stop the preparation process for a late mediation (of course, the Judge has to approve as well)? There are practical issues involved, such as finding a capable mediator at the last second and setting aside a full day (or longer) for mediation with trial counsel who have been furiously prepping for trial and who probably believe that the request is a stall tactic. My general experience is that since both sides know every inch of the other side’s case immediately prior to trial, if there is to be a last minute settlement, including during a trial, that can best accomplished between the parties/counsel without a mediator’s involvement.

So, the preferred timing for mediation is most likely sometime between early and late: a time when the parties know enough about the dispute to make well reasoned settlement decisions but not so late that the entire investment necessary for trial has already been made.

<i>Say What?</i> Statutes of Repose/Limitation May Not Be Defenses in Arbitration?Most private construction contracts contain binding arbitration clauses and apply the “law of the state where the project is located.” While arbitration is less formal than court/litigation, legal defenses are often raised, including whether a claim is barred by a statute of limitation or, in the case of construction claims, a statute of repose. A statute of repose, as opposed to a statute of limitation, with a few exceptions, means that no matter when the claimed defect is “discovered,” the claim is barred if not brought within a specific period of time after substantial completion. For example, in Tennessee a claim must be brought within four years of substantial completion or that claim is barred by the statute or repose. However, a recent arbitration ruling raises concerns about whether such statutes will apply in arbitration.

Most statutes of repose (and limitation) apply to “any and all actions.” In a recent arbitration case, an owner brought a $1.5 million defective work claim against its prime contractor 10 years after substantial completion of a project that was located in Tennessee. The contractor moved to dismiss the claim based upon Tennessee’s four-year statute of repose. However, the owner cited a few reported court cases (none from Tennessee) and argued that the word “action” in the statute of repose was intended by the legislature to apply only to court cases, not to arbitration. One point made by the owner was that the statute of repose was passed decades prior to any state passage of arbitration laws allowing courts to enforce arbitration agreements. The contractor argued that if statutes of repose (and limitation) do not apply when the parties agree to binding arbitration, contractors (and subcontractors) would have unlimited liability for years–even decades–after substantial completion.

A few states have surprisingly adopted the owner’s argument. However, in most of those cases, the state legislatures jumped in to clarify the law (but not in time for the particular contractor who had lost the argument).

The Tennessee arbitration panel ruled that the four-year statute of repose did not apply in arbitration, even though it was undisputed that the arbitration was commenced 10 years after the project was completed. The panel commented that this problem was up to the Tennessee Legislature to fix. The contractor was then forced to defend the owner’s alleged defect claim. While the panel ultimately found in favor of the contractor, the legal and arbitration fees were extensive and would have been avoided if the arbitration panel had applied the statute of repose.

What can be done to avoid such a result? One way is not to agree to arbitration. However, there are many other reasons to choose arbitration, and it has become the preferred method of dispute resolution in most design and construction contracts. Another suggestion is to check each state’s statute of repose to determine if the applicable state statutes use the same word “action” and then review any published case law on the issue. A proactive approach might include lobbying state legislatures to amend their statutes to ensure that “arbitration” is included in the definition of “action.” Finally, a helpful contract drafting suggestion would be to include, in any contract that calls for binding arbitration, a provision that states that in any arbitration the parties agree that the arbitrator(s) must apply any applicable statutes of repose and limitation.